Flash Updates Fix Many Bugs

New versions of Flash Professional and the Flash Player were released today. Both of these have significant new features justifying their major version increments (CS4 for Professional and 10 for Flash Player), but they also address security issues.

An Adobe advisory speaks obliquely about vulnerabilities fixed in the new version, but an advisory from Security-Assessment.com, the firm that found the bugs and alerted Adobe, goes into more detail. These heap overflows affect only Flash Professional, not the player. A patch is available for CS3 and the fixes are built into the new CS4.

The new Flash 10 player implements, among other new features, the ability to turn off clipboard access for Flash programs, and turns on this setting by default. Clipboard access had recently been badly abused by malicious web sites in a cross-platform attack known as "Clipboard-Jacking." In all likelihood the new player has a new set of vulnerabilities as well.